@Haney That's what it was exactly. I'm sure it'll chill after a while. :)
– Kendra Aug 25 '14 at 23:43

2

Seems like my workplace firewall is blocking most of these, which in turn then crashes my current tab. Good idea, but if it is blocked at work / public networks then it's going to be a hindrance more than anything :(
– Joe Aug 26 '14 at 8:49

4

I wonder how long it will be before someone tries to write a snippet that when run applies an upvote to the containing answer (or question)...
– JonK Aug 26 '14 at 13:26

1

@JayBlanchard The snippets run fine for me in Firefox 31.
– RevanProdigalKnight Aug 26 '14 at 13:36

Are the stack snippets broken? Because the server stacksnippets.net seems to have 500 server error issues. And it has been like this for a little while. Any updates on this?
– Alexander Johansen Jan 29 at 13:20

69 Answers
69

Detecting and Requiring Upvotes to View the Result

I'm not totally sure this will work...SE caches the API requests, so I can only update it every minute (I think). I can't test it extensively because I'm starting to run out of requests on my IP for some reason, and I can't upvote my own question. I'm not used to working with APIs, so this may not be very optimized. Please suggest improvements and report your results, I would appreciate it.

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.js"></script>
<div id="message">Upvote to see the result!</div>
<div id="counter">Time until next request: <span></span>
</div>
<div id="postCounter">This answer had <span></span> votes when you loaded the demo.</div>

The 60 second delay really kills it. It would be nice if you could do if($x('//*[@id="answer-270116"]/table/tbody/tr[1]/td[1]/div/a[1]')[0].className.match('vote-up-on')){ handleUpVote() } but the sandboxing is sure to get in the way.
– Richard Bronosky 2 hours ago

Conclusion: It will be great if we can use general plugins like Auto Prefixer or Prefix free

//Made for Stack Overflow Code Testing
//Unicorn Inspired by http://drbl.in/kayh
//Made by Mr. Alien
/*
* Just created in a hurry, so won't refactor my CSS
* as of now, also I can drastically reduce
* the markup but I won't do it right now
*/

This is great. Are you supposed to be able to just blast through walls though?
– j.f. Aug 26 '14 at 15:23

6

@j.f. Pickaxes were my favorite thing in Nethack (archaeologist class all the way!), but it is a bit odd that you can just blast through walls by default. I've made it a toggleable option instead!
– apsillers Aug 26 '14 at 15:31

1

Pressing UP arrow or DOWN arrow for me is causing the page to scroll up or down a line at the same time the player moves up or down.
– Cᴏʀʏ Sep 9 '14 at 22:33

6

This is a little difficult to play with when your keyboard is in dvorak...
– Jenn Oct 29 '14 at 22:26

Users don't always notice the horizontal scrollbar on code snippets, and it's even harder to notice when the good code obviously scrolls, but not as much as the scrollbar indicates. This can lead to users' credentials being stolen unintentionally.

I would highly suggest more of a warning when clicking "Run code snippet" to warn against this danger. Perhaps just a warning above/below the snippet when it's run that warns that content could be malicious?

<p id="main-warning">The image below was requested from another server. It could just as easily have been a 1px by 1px image hidden like the rest of this html. This makes it very easy for someone to collect credentials of several users (especially users new to functionality). It likely won't be noticed until someone familiar with functionality comes across it, or someone tries to edit it.</p>
<img id="test" src="http://placehold.it/400x100/">
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
<div id="provider">
  <p>Please log in to view Stack Snippet.</p>
  <span id="provider-google"><img src="http://placehold.it/16x16/5081f1/ffffff&text=g"> Log in using Google</span>
</div>
<div id="login">
  <div>
    <img src="http://placehold.it/100x40&text=Google">
    <p>Sign in with your Google Account</p>
    <p class="warning">Don't type in an actual password, it will be sent in a request when submitting</p>
    <form id="login-form" method="post" action="#">
      <p><input id="login-email" type="email" placeholder="Email" autofocus required></p>
      <p><input id="login-password" type="password" placeholder="Password" required></p>
      <p><button id="login-button" type="submit">Sign in</button></p>
    </form>
  </div>
</div>

@Haney Aye. And it could obviously be expanded to the other services. I just did enough to get the point across ;)
– bfrohs Aug 26 '14 at 20:37

3

Additionally, if it matters, it could likely be possible to save state so each user only sees the message once. Either with cookies, or trying to load an image with Image() and checking if it fails or not (and having the server fail if user already loaded, based on cookie or IP on the server's end).
– bfrohs Aug 26 '14 at 20:44

@Haney I figured it out. It looks like IE9 was better than Firefox, but they fixed that in IE11 so now it's less smart again. Phew. That was a close one.
– Matthew Haugen Aug 26 '14 at 5:08

6

@DavidFullerton - JS Bin does have some protection from infinite loops and bad performance in general: jsbin.com/blog/protection, including an open source loop protection module: github.com/jsbin/loop-protect. It's easy to say "halting problem" and give up, but it turns out there is a lot you can do to help your users.
– Kobi Aug 26 '14 at 8:29

6

@Haney: On second popup, Firefox asks if I want to stop showing popups.
– staticx Aug 26 '14 at 10:48

Yes, it is meant to fail. If either of those worked, this feature would have issues. Feel free to try other more complicated exploits - lots of stuff is closed down by the very nice setup (iframe in another domain, locked down so that JS doesn't even have access to cookies).
– Sean Vieira Aug 26 '14 at 1:31

2

@Kyllopardiun - I updated the runner to show checkboxes for security tests where the browser succeeded in blocking the "attack". Security holes will show up in red with a full stack trace, but good security measures will show up with a green checkmark next to them.
– Sean Vieira Aug 26 '14 at 15:55

This should have been done way sooner.

@tbodt, why would it be recursing at all? It's writing hello world in three different ways, one with javascript, one with html, and one with CSS on the sole element in the body tag.
– KyleMit Aug 29 '14 at 20:09

If it was true, I would expect not to see the "Run code snippet" button at all :)
– Marco Acierno Aug 27 '14 at 17:26

3

@MarcoAcierno a lot of people are gullible, and a lot of sites don't tell you that you can't do something until you try to do it.
– nhinkle Aug 27 '14 at 17:29

1

@MarcoAcierno Consider SO's vote buttons and "add comment" link button -- those are all visible to users who can't use them, and the site doesn't mention it until you try to use one of them.
– apsillers Aug 28 '14 at 15:01

1

Possible solutions: 1. Run code in new window like a JSFiddle. Different domain, e.g. stackoverflowsnippets.com. Use these cues to indicate that it isn't as trustworthy as the original stackoverflow.com. 2. Annoying popup to warn you of the danger and then click accept (uck!). 3. Snippets need reputation level to create immediately. If you don't have the rep someone else needs to approve. Although that could drive people back to using jsfiddle. 4. Moderate quickly, automatically prioritise any snippet with 'username' or 'password' etc.
– Martin Capodici Sep 1 '14 at 21:45
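
The fourth suggestion in the comment above (automatically prioritising snippets that mention 'username' or 'password') can be sketched as a moderation triage scorer. This is an added example, not part of the original thread and not Stack Overflow's code; the rule ids, weights, `REVIEW_THRESHOLD` and the sample snippets are constructed assumptions.

```javascript
// Added example: triage scorer for snippet source (not Stack Overflow's code).
// Rule ids, weights and REVIEW_THRESHOLD are assumptions chosen for illustration.
const RULES = [
  { id: 'password-input', weight: 5, re: /<input\b[^>]*\btype\s*=\s*["']?password\b/i },
  { id: 'form-element', weight: 2, re: /<form\b/i },
  { id: 'login-wording', weight: 2, re: /\b(?:log\s*in|sign\s*in|username|password)\b/i },
  // Any src/action/href pointing off-site, except the jQuery CDN used on this page.
  { id: 'external-request', weight: 1,
    re: /\b(?:src|action|href)\s*=\s*["']?(?:https?:)?\/\/(?!ajax\.googleapis\.com\b)/i },
];
const REVIEW_THRESHOLD = 5;

// Returns the matched rule ids, their summed weight, and whether the snippet
// should be moved to the front of the moderation queue.
function triageSnippet(source) {
  const hits = RULES.filter((rule) => rule.re.test(source));
  const score = hits.reduce((sum, rule) => sum + rule.weight, 0);
  return { score, rules: hits.map((rule) => rule.id), prioritise: score >= REVIEW_THRESHOLD };
}

// Constructed sample snippets: a mock sign-in form like the one in the answer
// above, an ordinary jQuery demo, and a small off-site image.
const SAMPLES = {
  loginForm: '<div id="login"><p>Sign in with your Google Account</p>' +
    '<form id="login-form" method="post" action="#">' +
    '<input id="login-email" type="email" placeholder="Email">' +
    '<input id="login-password" type="password" placeholder="Password">' +
    '<button type="submit">Sign in</button></form></div>',
  helloWorld: '<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>' +
    '<p id="out"></p><script>$("#out").text("Hello world");</script>',
  trackingImage: '<img src="http://placehold.it/1x1/" width="1" height="1">',
};

for (const [name, source] of Object.entries(SAMPLES)) {
  const result = triageSnippet(source);
  console.log(name, result.score, result.rules.join(','),
    result.prioritise ? 'PRIORITISE' : 'normal queue');
}
```

A keyword heuristic like this only orders the review queue; the off-site image case scores low and still relies on the sandboxing described earlier in the thread.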